Impact
Crypt::OpenSSL::PKCS12 versions prior to 1.96 contain a flaw in the print_attribute() routine. The routine copies a UTF8STRING ASN.1 attribute value into a heap buffer sized exactly to its declared length using strncpy, producing a buffer without a terminating NUL character. Later code calls strlen() on this buffer and passes the inflated length to newSVpvn(), which then copies adjacent heap bytes that were not part of the intended attribute into a Perl scalar. This out‑of‑bounds read can expose arbitrary data that resides next to the buffer in memory, such as sensitive credentials or cryptographic material, and is classified as CWE‑125.
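The copy-then-strlen() pattern described above, next to one length-carrying hardened form, as an added C example that is not the module's own source. The function names, the arena that stands in for adjacent heap memory, and the sample values are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the heap: the attribute copy lands at offset 0 and
 * unrelated data sits right after it, so the over-read is deterministic and
 * stays inside one array (no undefined behaviour in this demo). */
static char arena[64];

/* Pattern from the advisory: copy exactly `len` bytes with strncpy (no
 * terminating NUL is written), then measure the result with strlen(). */
size_t flawed_reported_len(const unsigned char *val, size_t len,
                           const char *neighbour)
{
    if (len + strlen(neighbour) + 1 > sizeof arena)
        return 0;                            /* demo arena too small */
    memset(arena, 0, sizeof arena);
    strcpy(arena + len, neighbour);          /* adjacent "heap" bytes */
    strncpy(arena, (const char *)val, len);  /* fills len bytes, no NUL */
    return strlen(arena);                    /* runs on into neighbour */
}

/* Hardened form: allocate len + 1, copy by length, terminate explicitly, and
 * report the declared length instead of re-deriving it with strlen(). */
char *safe_copy(const unsigned char *val, size_t len, size_t *out_len)
{
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, val, len);
    buf[len] = '\0';
    *out_len = len;
    return buf;
}

int main(void)
{
    const unsigned char attr[] = "friendly";  /* constructed attribute value */
    size_t n = 8, safe_n = 0;
    char *s = safe_copy(attr, n, &safe_n);

    printf("flawed length: %zu\n", flawed_reported_len(attr, n, "SECRETKEY"));
    printf("safe length:   %zu (%s)\n", safe_n, s ? s : "alloc failed");
    free(s);
    return 0;
}
```

The flawed path reports 17 bytes for an 8-byte value because the length is recomputed from memory contents; the hardened path passes the declared length through unchanged.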
Affected Systems
The Perl module Crypt::OpenSSL::PKCS12 from JONASBN is affected in versions older than 1.96. Every build of the module before 1.96 contains the vulnerable print_attribute implementation and is therefore susceptible to the heap OOB read.
Risk and Exploitability
Exploitation requires an attacker to supply a crafted PKCS12 file that triggers print_attribute(). The vector exists in any application that uses the vulnerable module to process PKCS12 inputs without validation. No publicly disclosed exploits are known, the EPSS score is unavailable, and the issue is not listed in the CISA KEV catalog. The lack of a CVSS rating precludes a formal severity level, but the potential for arbitrary memory disclosure represents a significant information‑leak risk. The likely attack path is via an application’s handling of malicious PKCS12 data.